AgentUniverse Command Injection Vulnerability in MCP Implementation

Vulnerability

A critical command injection vulnerability has been identified in the AgentUniverse framework, specifically in versions up to 0.0.18. This vulnerability resides within the MCP (Model Context Protocol) implementation, affecting the MCPSessionManager, MCPTool, and MCPToolkit components. The issue arises from inadequate input validation, allowing user-controlled input to be directly passed to the StdioServerParameters function. This input is then executed as operating system commands via the anyio.open_process() function, without any prior sanitization. As a result, attackers can execute arbitrary commands with the privileges of the AgentUniverse process.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server, leading to potential system compromise. Attackers could access sensitive files, establish persistent access through backdoors, exfiltrate data, pivot to other systems within the network, and modify or delete critical files and configurations.

Reproduction

The vulnerability can be reproduced by using the connect_to_server_via_stdio() method in the MCPSessionManager class. User input can be injected through the command and args parameters, which are then executed as system commands. Alternatively, MCPTool and MCPToolkit classes can be used to inject commands via YAML configuration files that specify arbitrary commands and arguments to be executed when the tools are used.
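The root cause described above is that a caller (or a YAML tool definition) controls the command and args that become a StdioServerParameters, so the fix is to validate them against an operator-fixed allowlist before the parameters object is ever built. The following is an added illustration of such a guard, not code from AgentUniverse or the MCP SDK; the function name validate_stdio_launch, the StdioLaunchSpec type and the sample allowlist are assumptions made for this example.

```python
import os
import re
from dataclasses import dataclass

# Characters that would let one argv entry carry shell syntax, extra lines or
# NUL bytes if it is ever re-serialised (e.g. written back into YAML or a log).
_UNSAFE_ARG = re.compile(r"[;&|`$<>\n\r\x00]")

# Constructed allowlist: short names a tool config may reference, mapped to
# absolute executable paths chosen by the operator, never by the caller.
# Keep generic interpreters (python, sh, node -e) out of this table, since
# args are still handed to whatever program is allowlisted.
ALLOWED = {
    "filesystem": "/opt/mcp/bin/mcp-filesystem",
    "git": "/opt/mcp/bin/mcp-git",
}


@dataclass(frozen=True)
class StdioLaunchSpec:
    """Validated values that are safe to pass on to StdioServerParameters."""
    command: str
    args: tuple


def validate_stdio_launch(command, args, allowed_commands, max_args=32):
    """Reject any command/args pair that did not come from the allowlist."""
    if not isinstance(command, str) or not command:
        raise ValueError("command must be a non-empty string")
    if command not in allowed_commands:
        raise ValueError(f"command {command!r} is not in the allowlist")
    resolved = allowed_commands[command]
    if not os.path.isabs(resolved):
        raise ValueError("allowlist entries must be absolute paths")
    if args is None:
        args = []
    if not isinstance(args, (list, tuple)) or len(args) > max_args:
        raise ValueError("args must be a short list of strings")
    clean = []
    for arg in args:
        if not isinstance(arg, str):
            raise ValueError("each arg must be a string")
        if _UNSAFE_ARG.search(arg):
            raise ValueError(f"unsafe characters in arg {arg!r}")
        clean.append(arg)
    # The caller builds StdioServerParameters(command=spec.command,
    # args=list(spec.args)) from this object, never from raw input.
    return StdioLaunchSpec(resolved, tuple(clean))
```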

Added: Aug 7, 2025, 7:17 PM
Updated: Aug 7, 2025, 9:56 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.